Date: 2025-03-05

Follow this guide to get started with Internal DNS.

Although some steps can be completed on the dashboard, the whole process can currently only be completed via the API.

Before you begin

Note: Internal DNS is currently in closed beta. Using it on production traffic is at your own risk. If you are interested in this product, contact your account team.

Make sure you have an Enterprise account with access to Gateway resolver policies and Internal DNS.

Consider the different ways in which you can connect to Gateway resolver.

If you are not familiar with how to use the Cloudflare API, refer to Fundamentals.

If you will be using an API token for authentication, make sure you have the following permissions:

API token configuration

Permissions:
Account - DNS Views - Edit
Zone - DNS - Edit
Account - Account Settings - Edit
Zone - DNS Settings - Edit
Zone - Zone - Edit

Account Resources: Include - (Your account)

Zone Resources: Include - All zones

1. Set up your internal DNS zone

Use the Create Zone endpoint to create an internal zone. Specify your account ID and set the type to internal.

Internal zone configuration conditions

Internal zones can contain the same DNS record types that Cloudflare supports for public zones.

An internal zone can have the same name as a public zone in the same account.

Each internal zone can be linked to multiple views.

There can be several internal zones with the same name in one account. However, two internal zones with the same name cannot be linked to the same view.

Internal zones are not subject to any top-level domain (TLD) restrictions. This means that an internal zone can be created if its TLD is not registered publicly (for example, xyz.local), if it is created on the TLD itself (local), or even on the root (.).

Add DNS records to your internal zone using your preferred option:

Import a formatted BIND file. Refer to the DNS records how-to for guidance.

Use other API endpoints, such as /batch, to manage DNS records. Refer to Batch record changes for details.

Repeat this process for each internal zone you wish to add.

(Optional) Reference a zone from another zone

Use the Update DNS settings endpoint to add a reference from an internal zone to another internal zone. In --data, specify the internal_dns object with the parameter reference_zone_id. For details, refer to reference zones.

In the following example, internal zone A (ID 8a904aeb565c42cfa207d98f6edea2f3) is referencing internal zone B (ID 8e64c6fb4b514f3faf64de81efc11e51).

    curl --request PATCH \
      https://api.cloudflare.com/client/v4/zones/8a904aeb565c42cfa207d98f6edea2f3/dns_settings \
      --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
      --header "Content-Type: application/json" \
      --data '{
        "internal_dns": {
          "reference_zone_id": "8e64c6fb4b514f3faf64de81efc11e51"
        }
      }'

2. Link your internal zone to a view

Since the resolver policy will require a DNS view, you must have at least one view to be able to route requests to internal zones.

Use the Create Internal DNS View endpoint. For each view you create, list all the internal zones that should be grouped under that view.

DNS view configuration conditions

DNS views can be empty, with no internal zones linked to them.

A DNS view cannot contain public DNS zones.

Each internal DNS zone name must be unique within a given DNS view.

Each DNS view name must be unique within a given Cloudflare account.
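
A pre-flight check for the zone and view conditions listed in steps 1 and 2, as an added example that is not part of the original guide or Cloudflare's own code. The data layout, function names and zone IDs are assumptions made for illustration; the check runs locally on a planned layout and makes no API calls.

```python
from collections import defaultdict

def norm(name):
    # DNS names compare case-insensitively and a trailing dot is the same name.
    # (Assumption: the API compares zone names the same way.)
    return name.lower().rstrip(".") or "."

def validate_plan(zones, views):
    """zones: {zone_id: {"name", "type"}}; views: [{"name", "zones": [ids]}].
    Returns a list of problems; an empty list means the plan meets the conditions."""
    problems = []
    seen_views = set()
    for view in views:
        vname = view["name"]
        if vname in seen_views:  # view names must be unique per account
            problems.append(f"duplicate view name: {vname}")
        seen_views.add(vname)
        by_name = defaultdict(list)
        for zid in view["zones"]:  # an empty list is allowed
            zone = zones.get(zid)
            if zone is None:
                problems.append(f"{vname}: unknown zone id {zid}")
            elif zone["type"] != "internal":  # views cannot hold public zones
                problems.append(f"{vname}: {zid} is not an internal zone")
            else:
                by_name[norm(zone["name"])].append(zid)
        for name, ids in sorted(by_name.items()):
            if len(ids) > 1:  # zone names must be unique within a view
                problems.append(
                    f"{vname}: zone name {name} linked more than once: {', '.join(ids)}")
    return problems

# Constructed sample data: IDs and names are placeholders, not real zones.
ZONES = {
    "zone-a": {"name": "corp.example", "type": "internal"},
    "zone-b": {"name": "Corp.Example.", "type": "internal"},  # same name as zone-a
    "zone-c": {"name": "local", "type": "internal"},          # zone on a TLD itself
    "zone-p": {"name": "corp.example", "type": "full"},       # public zone, same name
}
GOOD = [{"name": "office", "zones": ["zone-a", "zone-c"]},
        {"name": "lab", "zones": ["zone-b"]},   # same zone name, different view
        {"name": "staging", "zones": []}]       # empty view
BAD = [{"name": "office", "zones": ["zone-a", "zone-b", "zone-p"]},
       {"name": "office", "zones": []}]

if __name__ == "__main__":
    for problem in validate_plan(ZONES, BAD):
        print(problem)
```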

3. Configure Gateway policies

Note: The Gateway configuration must exist within the same Cloudflare account where the internal zone exists.

Besides selecting an internal DNS view when setting up your resolver policies, you can also enable the fallback through public DNS option.